TUCoPS :: Oracle :: va1599.htm

Oracle PeopleTools – Authentication Weakness
CVE-2008-4000: Oracle PeopleTools – Authentication Weakness
CVE-2008-4000: Oracle PeopleTools – Authentication Weakness



PeopleSoft Enterprise applications architecture is built around the proprietary PeopleTools technology. PeopleTools user authentication mechanism requires a user to provide the correct credentials in order to gain access through the web interface. An account lockout policy disables a user account if an incorrect password is entered a specified number of times over a specified period. =0D
=0D
=0D
Scope=0D
=0D
Imperva=92s Application Defense Center conducts extensive research on enterprise applications on behalf of its customers, including research on applications like PeopleSoft, SAP and Oracle EBS. During its research, the team has identified a security flaw related to PeopleTools authentication mechanism and account lock-out policy. =0D
=0D
=0D
Findings=0D
=0D
By observing the system=92s response to repeated authentication attempts, an attacker can brute force valid user credentials even though the account lock-out mechanism is enabled. The attacker could use the compromised credentials once the account is unlocked by an administrator. =0D
=0D
=0D
Details=0D
=0D
Upon a false login attempt, the message =93Your User ID and/or Password are invalid=94 is returned to the user. When the correct password is entered, and the account has been locked, the message =93Your account has been disabled=94 is returned. Therefore an attacker can conduct a brute force attack even after the account has been locked. =0D
=0D
Once the account is unlocked, PeopleTools does not enforce password changing. Therefore the compromised set of credentials can be used to break into the unlocked account. =0D
=0D
=0D
Exploit=0D
=0D
Brute force login to the application until the correct password is detected. =0D
=0D
=0D
Vulnerability ID=0D
=0D
CVE-2008-4000 =0D
=0D
=0D
Tested Versions=0D
=0D
Vulnerable=0D
PeopleTools 8.49 (8.4x) =0D
=0D
=0D
Vendor's Status=0D
=0D
Vendor notified on August 4, 2008. Patch released by vendor on October 14, 2008. =0D
=0D
=0D
Workaround=0D
=0D
=0D
Within PeopleSoft, select the =93Enable password controls=94 checkbox and then define the number of days that a password is valid. The actual number of days does not matter for this purpose.=0D
When an account is locked because of too many login attempts, the administrator can unlock the account and then manually set the status of the password for the account to =93expired=94. This will force the user to change the password during the next login.=0D
An alternative workaround is to create a custom Web application policy in the SecureSphere Web Application Firewall. The policy match criteria would include the URL prefix of the PeopleSoft login page (the action URL for the authentication form) and the number of occurrences within a specified period of time.=0D
=0D
=0D
Discovered by:=0D
=0D
Yaniv Azaria of Imperva=92s ADC =0D
=0D
Disclaimer=0D
The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user=92s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.=0D
=0D
Copyright =A9 2007 Imperva, Inc.=0D
Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, adc@imperva.com for permission. Sections=0D 
ADC Security Advisories=0D
=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH